Last updated: March 11, 2025

SCWE-023: Lack of Communication Authenticity

Stable Version v0.0.1

This content is in version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Lack of communication authenticity refers to the failure to verify the authenticity of messages or transactions. This can lead to:

  • Unauthorized actions by malicious actors.
  • Loss of funds or data.
  • Exploitation of the contract's logic.

Remediation

  • Use signatures: Require signed messages for critical actions.
  • Validate inputs: Ensure all messages are properly validated before processing.
  • Implement secure communication: Use secure protocols and libraries for communication.

Examples

  • Lack of Authenticity

    pragma solidity ^0.8.0;
    
    contract NoAuthenticity {
        // Anyone can call this with any message: nothing ties the message
        // to a trusted origin, so the contract cannot tell a legitimate
        // message from a forged one.
        function processMessage(bytes memory message) public {
            // Process message without authenticity check
        }
    }
    

  • Authentic Communication

    pragma solidity ^0.8.0;
    
    import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
    
    contract AuthenticCommunication {
        using ECDSA for bytes32;
    
        function processMessage(bytes memory message, bytes memory signature) public {
            // Hash the message and recover the address that signed that hash.
            // ECDSA.recover reverts on malformed signatures and rejects
            // malleable (high-s) values, unlike the raw ecrecover precompile.
            bytes32 messageHash = keccak256(message);
            address signer = messageHash.recover(signature);
            // Note: this only proves the caller signed the message it sent;
            // binding the signer to a designated trusted address, and adding a
            // nonce so the same signature cannot be resubmitted, are what make
            // messages from an off-chain party authentic and non-replayable.
            require(signer == msg.sender, "Invalid signature");
            // Process message
        }
    }
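The remediation bullets above (require signatures, validate inputs, use a reviewed library) and the two examples leave out two things a practitioner will want: binding the signature to a designated signer rather than to `msg.sender`, and preventing replay. The following contract is an added example, not code from the SCWE project. It assumes the same OpenZeppelin `ECDSA` import as the page (its `recover(bytes32, bytes)` function exists in both OZ 4.x and 5.x; the EIP-191 prefix is computed by hand so the example does not depend on where `toEthSignedMessageHash` lives in a given release). `AuthenticatedInbox`, `trustedSigner`, `nonce` and `messageDigest` are names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Added example (not part of the SCWE page): accept only messages signed by a
/// designated off-chain signer, each one usable exactly once.
contract AuthenticatedInbox {
    using ECDSA for bytes32;

    // Hypothetical: the only party whose messages this contract accepts.
    address public immutable trustedSigner;

    // Strictly increasing counter: every signed message carries the nonce it
    // expects, so a captured signature cannot be submitted a second time.
    uint256 public nonce;

    event MessageAccepted(address indexed signer, uint256 indexed nonce, bytes message);

    constructor(address signer_) {
        require(signer_ != address(0), "zero signer");
        trustedSigner = signer_;
    }

    /// Digest the off-chain signer must sign. Including chainid, this
    /// contract's address and the nonce means a signature is not valid on
    /// another chain, on another deployment, or twice on this one.
    function messageDigest(bytes memory message, uint256 nonce_) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(block.chainid, address(this), nonce_, keccak256(message))
        );
        // EIP-191 "personal_sign" prefix, so ordinary wallets can produce the
        // signature and the signed bytes can never be mistaken for a transaction.
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash));
    }

    function processMessage(bytes memory message, uint256 nonce_, bytes memory signature) public {
        // Validate the input before any signature work: wrong nonce means either
        // a stale/replayed message or one submitted out of order.
        require(nonce_ == nonce, "bad nonce");

        bytes32 digest = messageDigest(message, nonce_);
        // ECDSA.recover reverts on malformed input and rejects high-s signatures.
        address signer = digest.recover(signature);
        // Authenticity comes from matching the designated signer, not msg.sender:
        // anyone may relay the message, but only trustedSigner can author it.
        require(signer == trustedSigner, "Invalid signature");

        // Consume the nonce before acting on the message (checks-effects-interactions).
        nonce = nonce_ + 1;
        emit MessageAccepted(signer, nonce_, message);
        // ... act on the authenticated message ...
    }
}
```

Off-chain, the trusted party reads `nonce`, calls `messageDigest(message, nonce)` (or recomputes it locally with the same encoding) and signs the resulting 32 bytes with a prefixed signing method; a relayer then submits `processMessage(message, nonce, signature)`. Because the digest commits to the chain id, the contract address and the nonce, the same signature is rejected on a fork, on a second deployment, and on any later submission.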